Choosing Secure Extensions

The most important thing anyone can do is make good decisions about the extensions they choose to use in a site. Once an insecure or malicious extension is installed, you should consider your entire site compromised. There is no possible way to stop a component from accessing database tables it should not be accessing. There is no possible way to stop a component from sending all of the information it found back to a hacker's website. Once an insecure or malicious component is installed, your entire site is insecure.

Useful Questions to Ask

When was the last version released?

If it has been over a year, consider the project abandoned and find something else. Do not install old components.

What kind of release is it (stable, release candidate, beta, alpha)?

For production sites you should stick to stable releases as much as possible. If you cannot wait until a stable release has been made available, release candidates are the only other option you should consider. Installing beta or alpha extensions on a production site is not recommended. A beta or alpha label means the extension still has bugs, has not been tested enough, and could have any number of inconvenient security issues that have not been located or fixed.

Does the extension have a history of good security practices?

This is obviously a bit more subjective, but it is still a very valid gauge of future trustworthiness. It requires a bit of investigation and research. Look around the developer's download pages and archives. Are there many security releases or patches? Are there a lot of reports of hacking activity through this extension? Is the developer experienced and security conscious? What do other community members think of this extension?

Is there a support community for this extension?

This is very important for usability and security awareness. If there is a support community for an extension, there is a better chance of security issues being known and resolved. A support community means that people would like to continue using the extension and that they care about it. This increases the chance that security issues will be found, disclosed and dealt with promptly.

Is there a version compatible with Joomla 3?

While the lack of a Joomla 3 version does not in itself make an extension insecure, it's important to know if the extension is compatible with Joomla 3. Joomla 2.5 will reach its end of life in the near future. Updating Joomla versions is much easier if an extension is compatible with the most recent version of Joomla available.